SEC Adopts Updated Cybersecurity Rules 


On the same day the 24-year-old updates to Regulation S-P were 
announced, Interactive Brokers reported a customer data breach. 


Rob Burgess | May 24, 2024 


As coincidence would have it, the SEC adopted its updated cybersecurity 
rule changes on the same day that international brokerage and custodian 
Interactive Brokers reported a customer data breach. 


The firm filed a sample letter on May 16 with the Massachusetts Attorney 
General as an example of what it would send to around 600 clients whose 
personal information was exposed during a data breach in January, 
InvestmentNews and CityWire first reported. 


The SEC’s long-awaited rule changes, also announced on May 16, are an 
update to Regulation S-P which was first adopted in 2000. Those rules 
required broker/dealers, investment companies and RIAs to adopt written 
policies and procedures to safeguard customer records and information. 
They also mandated the disposal of consumer information and privacy 
policy notices and opt-out provisions. 


The newly adopted amendments require institutions to maintain written 
cyber breach incident response program procedures and notify affected 
customers promptly. The program must detect the scope of any breach and 
outline steps to prevent further leaks. Customers must be informed about 
such occurrences as soon as possible but no later than 30 days after the 
company becomes aware of a breach. 


“Over the last 24 years, the nature, scale, and impact of data breaches has 
transformed substantially,” SEC Chair Gary Gensler said in a statement. 
“These amendments to Regulation S-P will make critical updates to a rule 
first adopted in 2000 and help protect the privacy of customers’ financial 
data. The basic idea for covered firms is if you’ve got a breach, then you’ve 
got to notify. That’s good for investors.” 


Michael Cocanower, founder and CEO of AdviserCyber, said these new 
regulations reflect the SEC’s increasingly typical focus on cybersecurity. 
The landscape has changed drastically in the 24 years since the original 
Regulation S-P was put into place, he said. 


“This is likely to be the first of several dominoes to fall as it relates to the 
SEC’s heightened focus on cybersecurity and protecting the investing public 
from cybersecurity incidents at the firms they trust the most to hold and 
manage their savings and investments,” he said. 


The notification requirements allow customers to take defensive measures 
once their data has been exposed. Cocanower said he thought the 30-day 
window was sufficient to perform an investigation and deliver the notices as 
required to customers. However, that doesn’t mean it will be easy. 


“I don’t see any way that a firm, especially a small- or mid-sized one, would 
have the resources to do this alone,” he said. 


While the new regulations require written response policies and customer 
reporting, they do not mandate companies carry separate cyber insurance 
policies. Cocanower said proactively purchasing these policies separately 
from E&O can be an essential safeguard if a breach occurs. 


“Those policies can generally bring significant resources to bear in a very 
short timeframe that can cover everything from technical mitigation, 
investigation, legal counsel and resources for customer notification ... as 
well as an offer of credit monitoring services,” he said. 


The SEC’s amendments will become effective 60 days after publication in 
the Federal Register. Larger entities will have 18 months after the date of 
publication to comply with the amendments, and smaller entities will have 
24 months. 


